A Salutary Reminder for Employers to Consider Data Protection in the Interview Process
Recently, it was reported that a candidate interviewing for pupillage with a dozen barristers' chambers used the GDPR to gain access to his interview notes. This is not a new entitlement, but more people are aware of the right and fewer businesses are prepared for it. Some of the chambers, who should not be oblivious to the workings of the law, accidentally revealed sensitive information about third parties when complying with the request, and others sent all the data when they could have redacted it. Even those practising the law are not immune to its reach or to making mistakes, which serves as a stark reminder for all employers and potential employers to ensure they know the law around data subject access requests (DSARs). It is always advised that, when in doubt, you contact a legal professional.
Whilst the concept has been around for a long time, a person's right to make a DSAR is a protection enshrined in the General Data Protection Regulation (GDPR). It is also a fundamental right under the Charter of Fundamental Rights of the European Union (2012/C 326/02). Article 8(2) says that "everyone has the right of access to data" which is collected about them. However, what data they are entitled to should be considered carefully, as it is not as simple as 'everything'.
What should an employer do when they receive a request?
It can be a difficult and time-consuming task to respond effectively to a DSAR. It is advised that businesses have an internal procedure in place to deal with requests as efficiently as possible, and that procedure must mirror their Privacy and Data Protection Policies. The procedure should be circulated to all staff, include key contacts who can assist in dealing with a DSAR, and be concise and achievable. Remember, the deadline under the GDPR for dealing with a DSAR is normally one month. You must act quickly to ensure this deadline can be met.
It is important to understand the information that is being asked for. Do not be afraid to converse with the individual issuing the DSAR, or to consider redacting or refusing data that they are not legally entitled to. More often than not, the actual data the individual is looking for will be a lot less than you expect, and your liability can be tempered accordingly.
Extent of Information to collect
Much of the data you hold about an individual will relate to others as well. Such data will almost inevitably require redaction. Article 15 contains no limit on the personal data that an individual can ask for, but EU law provides some good guidance. First, the principle of proportionality requires that measures adopted should not exceed the limits of what is appropriate and necessary to achieve the objectives pursued by the legislation in question. The Subject Access Code also confirms that an employer is not required to do things that would be unreasonable or disproportionate to the importance of providing subject access.
The general consensus is that you should try to find as much information as possible in line with the request, but you do not have to employ unreasonable methods in your search.
Be wary of data breaches
It is paramount that the privacy of third-party data is protected when responding to a DSAR. Generally, such data should be redacted or removed.
However, if the third party has given their consent to disclose the data, or where the employer determines that it would be reasonable to disclose the data without consent, it is possible to provide it. If you believe a breach has occurred, make a report to the ICO as soon as possible to aid in rectifying the breach and protecting yourself.
Document the process
If the person issuing the DSAR does not believe you have complied with your obligations, they may either apply to the court for a compliance order or make a complaint to the ICO. If this happens, it is useful to have a well-documented record of what you looked for and why, including why you did not do something.
If you are not going to hire that person, you can destroy your notes in compliance with your policy, be it on a daily, weekly, or monthly basis. Restricting how long you hold this data will aid you in responding to such requests by reducing your workload. Retaining data for too long may also in itself be a breach: if you do not hire a candidate then, unless they consent otherwise, holding their data for, say, 6 months or a year would be seen as unreasonable, and the data should have been destroyed.
Policy and Process
Data protection is an extremely important and vast area of the law that is updated regularly. The introduction of more and more technology into everyday life is going to see a huge increase in DSARs. A business should have clear policies and guidelines that are understood by all its employees. If necessary, arrange training, monitor compliance, and appoint someone to oversee data gathering, destruction and disclosure. If you need any advice or assistance in implementing policies or responding appropriately, please get in touch with our experienced team at A City Law Firm, who will be able to advise you on compliance.